Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 11 Jul 2011 20:22:54 +0400
From: Solar Designer <solar@...nwall.com>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com, Michael Matz <matz@...e.de>,
	Thorsten Kukuk <kukuk@...e.de>, Andreas Jaeger <aj@...e.de>,
	Zefram <zefram@...h.org>
Subject: Re: CVE request: crypt_blowfish 8-bit character mishandling

On Mon, Jul 11, 2011 at 04:39:08PM +0200, Ludwig Nussel wrote:
> Solar Designer wrote:
> >[...]
> >Also, it brings up the question: why merely use $2a$ running the new
> >code rather than fully emulate the bug even for newly set passwords,
> >which would make all passwords work, even on other networked machines?
> >Sure, that would be even nastier for security, so maybe you managed to
> >strike a balance well.  But nevertheless the question is there.  One of
> >your options results in full backwards compatibility at a security cost
> >(for the local system), but the other somehow chooses to strike a
> >balance between compatibility and security without achieving either of
> >these fully (for a network of systems).
> >
> >Maybe you can afford to drop BLOWFISH_2y to avoid those inconsistencies?
> >I imagine that people won't know to enable this option unless/until they
> >have already run into an issue anyway (that is, someone is already
> >unable to log in).  At this point, they could likely upgrade the rest of
> >their networked systems as well... or downgrade this one. ;-(
> 
> I'm not sure I understand what you are suggesting.

I am not exactly suggesting anything specific as I don't know your
priorities, but I point out the inconsistency.

My preference would be that you don't implement that BLOWFISH_2y option -
always have new hashes generated as 2y, even though this means that
networked systems need to be upgraded to new package versions in sync.

> Keep using the buggy
> algorithm for new passwords and keep storing them as 2a

I'd be unhappy about that, but it's a valid option to provide if you
want to minimize user annoyance, including for networked systems that
are not upgraded in sync (but are manually configured for this...)

> as long as BLOWFISH_2a2x is turned on?

No, you'd need a separate option (or a tri-state option) such that
there's a way for non-networked systems to gradually migrate to 2y
hashes without annoying any users.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.